US militarized police state

Is the United States becoming a Militarized Police State? Are we allowing Washington to act as a conduit funneling the nations treasury to the powerful? Or are we the greatest country on Earth ? Here are some solutions to tame the forces that are suggested by the Anti-Patriot "Patriot Act"

One possible future of the United States:

May I ask you to assume, just for the sake of argument, that the deterioration of our educational system is not entirely an accident ? And that the permanent warfare state, and the elimination of countries that are so different from ours that they seem like they need to be "liberated" - will increase hostility to us that as the different countries grow up they will eventually possibly turn on us - and punish us economically, after we have "standardized them". That we may end up becoming a country that cannot maintain adequate defenses as our competitiveness declines, until our main card is nuclear weapons, that we end up a becoming what we would call a rogue state ? Convinced of our "American Exceptional-ism", essentially Jingoistic fanatics ?

That was the story George Orwell described in 1984.

Here are the key threats to you personally if you wanted to put a halt to this scenario.

You cannot have real democracy without an educated citizenry. You cannot have an educated citizenry if the average family has to go to mediocre schools, and college becomes a huge financial crucifixion. We cannot solve these problems with a compromised deceitful Government essentially run by the rich and powerful.

This has already started to happen.

I have found that search engines and websites are so eager to "match" your interests, that it becomes difficult to get information sources other than the ones you are allready familiar with. I searched for power generators for my company - and now all I see are generators on the Internet - every where I look. I watched Sons Of Malcolm - a very angry man - who has performed a useful service in interviewing people in Loyalist Gaddafi-ist Libya.

I was somewhat offended when I searched for Libya News and his latest video was the first on my list. There were other videos that were more popular more recent and more highly rated, but apparently now I must watch Pro Gaddafi Videos first!

I also have been searching for alternate points of view, I am worried that this will trigger intelligence services to consider me a potential threat - i wont even use the word - that you can imagine I would worry about - that is how chilling things are now. I am fairly headstrong and some might say foolhardy - but I am afraid to even use the word on this page.

So I worry. Not as much for me but for my family, for whom I am the sole supporter, even down to my relatives through marriage. I have mentioned this I know. But as they owl says in Bambi "it could happen to you! Or you! It could even happen to you!" (in that case re: falling in Love).

Here is what could happen if we don't put a stop to all this nonsense.

Google becomes filtered. You see only what they want you to see.

Facebook and Youtube are allready monitored extensively. Similar to the red scare, where communist sympathizers were tracked as well as their friends, people with controversial views will be shunned, your former best friend unfriends you for fear that he will be followed.

The conclusion is that, after an educated citizenry, information is the coin of the realm. the key to a true democracy or republic. Search Engines and social networking and the Cloud are simply too important to entrust in private corporations until we quash things like unprovoked military action (Iraq, Libya, Grenada, Panama, Serbia, Vietnam, etc) and creepy things like the Patriot act.

We must make them open source and transparent. We must make them able to evade security services which either collaborate with or pressure private companies to hand out information.

A man without a country: Kurt Vonnegut

Open Source decentralized secure information is the only way to guarantee both personal privacy and access to information that could eventually be removed from search engines!

We have two known models:

File sharing, such as Napster and DC++ and Torrent

Pretty Good Privacy, which was designed to protect people in totalitarian states, this type of approach is used by human rights organizations.

File sharing is very difficult to stop completely.

Pretty Good Privacy is very hard to decrypt.

This leaves the problem of your device itself. Malicious software created by Government as well as criminals allready can enter your computer. Most tech types find the key logger one of the worst.

The solution to this is that the hardware and software has to be open source.

Unfortunately. Now its not impossible. A device can be attached to your network, which would have to be trusted, perhaps two devices, which could see all your network traffic and alert you of any data that you did not authorize. It would also need to scan the radio and microwave spectrum to ensure that your computer was not emitting the information through the only other escape valve, a wireless transmitter.

I admit this is ultra paranoid. But if you want to design a truly secure system you have to defend it from every possible attack.

Ultimately we need to build a humane educated global society, because yes, these tools could be abused, and imagine the day when technology is so advanced - that people who want to use violence can essentially destroy the planet. In the meantime we need to do something like this.

It is outrageous that personal information (this is your "content" which you are the "publisher" of, this is your unique contribution to global information.

Ian Lamont writes "Suspicions about China slipping eavesdropping technology into computer exports have been around for years. But the recent spying attacks, attributed to China, on Google and other Internet companies have revived the hardware spying concerns. An IT World blogger suggests the gear can't be trusted, noting that it wouldn't be hard to add security holes to the firmware of Chinese-made USB memory sticks, computers, hard drives, and cameras. He also implies that running automatic checks for data of interest in the compromised gear would not be difficult." The blog post mentions Ken Thompson's admission in 1983 that he had put a backdoor into the Unix C compiler; he laid out the details in the 1983 Turing Award lecture, Reflections On Trusting Trust: "The moral is obvious. You can't trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code. In demonstrating the possibility of this kind of attack, I picked on the C compiler. I could have picked on any program-handling program such as an assembler, a loader, or even hardware microcode. As the level of program gets lower, these bugs will be harder and harder to detect. A well installed microcode bug will be almost impossible to detect."

Bill Moyers On His Journalism Career: Democracy Should Be a Brake on Unbridled Power. 1 of 2

A Call For guaranteed pristine access to information and protection of your information.

We will still use Private Company Software and Hardware - but when we are worried, about our legal and financial and romantic and political protection, and our access to information from all viewpoints we use these secure decentralized services.

People Like Mr Weiner would not have had their careers ruined if they had a truly secure mobile device. Now you may say he got his just deserts, but many people go a little crazy for a short period of time, suffering from a sudden surge of sexuality, as they start balding for example. Its really none of our business. Prurient sanctimonious rigid people do not often make for real thinkers. Most of the important thinkers of the sixties, including JFK had affairs, got drunk and made fools of themselves and went on to save humanity. Do we tar and feather them. and drive them out of needed service ?

1. Secure Open Search Engine.

2. Secure Open online social networking.

3. Secure Open Hardware for a network device that verifies no data you haven't authorized has left your computer.

5. Secure Open Source Cloud Computing.

This is an option, not a threat to public companies, and they may pick up a thing or 2.

I would like to point out I developed a framework like this in 2001-2 and the company I worked for thought it was a confusing mediocrity. I called it "Internet Directory Services

Of course all this can be blocked by the ISPs, but it cant be entirely halted. Additionally local ISPs can still make good money and function as a transparent coop, or something along those lines. With this system, an ISP can be completely monitored, as long as it can get to the Internet it will be difficult to block.

Wikileaks has had to do a lot of this, but they dont share there technologies, and they certainly have not yet been nearly this ambitious.

* * *

Pretty Good Privacy excerpted from Wikipedia: (Pretty secure open source right there, but I doubt it could withstand the assault of a powerful government security service.

Compatibility

As PGP evolves, PGP systems that support newer features and algorithms are able to create encrypted messages that older PGP systems cannot decrypt, even with a valid private key. Thus, it is essential that partners in PGP communication understand each other's capabilities or at least agree on PGP settings.

Confidentiality

PGP can be used to send messages confidentially. For this, PGP combines symmetric-key encryption and public-key encryption. The message is encrypted using a symmetric encryption algorithm, which requires a symmetric key. Each symmetric key is used only once and is also called a session key. The session key is protected by encrypting it with the receiver's public key thus ensuring that only the receiver can decrypt the session key. The encrypted message along with the encrypted session key is sent to the receiver.

Digital signatures

PGP supports message authentication and integrity checking. The latter is used to detect whether a message has been altered since it was completed (the message integrity property), and the former to determine whether it was actually sent by the person/entity claimed to be the sender (a digital signature). In PGP, these are used by default in conjunction with encryption, but can be applied to the plaintext as well. The sender uses PGP to create a digital signature for the message with either the RSA or DSA signature algorithms. To do so, PGP computes a hash (also called a message digest) from the plaintext, and then creates the digital signature from that hash using the sender's private key.

Web of trust

Both when encrypting messages and when verifying signatures, it is critical that the public key used to send messages to someone or some entity actually does 'belong' to the intended recipient. Simply downloading a public key from somewhere is not overwhelming assurance of that association; deliberate (or accidental) impersonation is possible. PGP has, from its first versions, always included provisions for distributing a user's public keys in an 'identity certificate' which is also constructed cryptographically so that any tampering (or accidental garble) is readily detectable. But merely making a certificate which is impossible to modify without being detected effectively is also insufficient. It can prevent corruption only after the certificate has been created, not before. Users must also ensure by some means that the public key in a certificate actually does belong to the person/entity claiming it. From its first release, PGP products have included an internal certificate 'vetting scheme' to assist with this; a trust model which has been called a web of trust. A given public key (or more specifically, information binding a user name to a key) may be digitally signed by a third party user to attest to the association between someone (actually a user name) and the key. There are several levels of confidence which can be included in such signatures. Although many programs read and write this information, few (if any) include this level of certification when calculating whether to trust a key.

The web of trust protocol was first described by Zimmermann in 1992 in the manual for PGP version 2.0:

As time goes on, you will accumulate keys from other people that you may want to designate as trusted introducers. Everyone else will each choose their own trusted introducers. And everyone will gradually accumulate and distribute with their key a collection of certifying signatures from other people, with the expectation that anyone receiving it will trust at least one or two of the signatures. This will cause the emergence of a decentralized fault-tolerant web of confidence for all public keys.

The web of trust mechanism has advantages over a centrally managed public key infrastructure scheme such as that used by S/MIME but has not been universally used. Users have been willing to accept certificates and check their validity manually or to simply accept them. No satisfactory solution has been found for the underlying problem.

Certificates

In the (more recent) OpenPGP specification, trust signatures can be used to support creation of certificate authorities. A trust signature indicates both that the key belongs to its claimed owner and that the owner of the key is trustworthy to sign other keys at one level below their own. A level 0 signature is comparable to a web of trust signature since only the validity of the key is certified. A level 1 signature is similar to the trust one has in a certificate authority because a key signed to level 1 is able to issue an unlimited number of level 0 signatures. A level 2 signature is highly analogous to the trust assumption users must rely on whenever they use the default certificate authority list (like those included in web browsers); it allows the owner of the key to make other keys certificate authorities.

PGP versions have always included a way to cancel ('revoke') identity certificates. A lost or compromised private key will require this if communication security is to be retained by that user. This is, more or less, equivalent to the certificate revocation lists of centralized PKI schemes. Recent PGP versions have also supported certificate expiration dates.

The problem of correctly identifying a public key as belonging to a particular user is not unique to PGP. All public key / private key cryptosystems have the same problem, if in slightly different guise, and no fully satisfactory solution is known. PGP's original scheme, at least, leaves the decision whether or not to use its endorsement/vetting system to the user, while most other PKI schemes do not, requiring instead that every certificate attested to by a central certificate authority be accepted as correct.

Security quality

To the best of publicly available information, there is no known method which will allow a person or group to break PGP encryption by cryptographic or computational means. Indeed, in 1996, cryptographerBruce Schneier characterized an early version as being "the closest you're likely to get to military-grade encryption."[1] Early versions of PGP have been found to have theoretical vulnerabilities and so current versions are recommended. In addition to protecting data in transit over a network, PGP encryption can also be used to protect data in long-term data storage such as disk files. These long-term storage options are also known as data at rest, i.e. data stored, not in transit.

The cryptographic security of PGP encryption depends on the assumption that the algorithms used are unbreakable by direct cryptanalysis with current equipment and techniques. For instance, in the original version, the RSA algorithm was used to encrypt session keys; RSA's security depends upon the one-way function nature of mathematical integer factoring.[2] Likewise, the secret key algorithm used in PGP version 2 was IDEA, which might, at some future time, be found to have a previously unsuspected cryptanalytic flaw. Specific instances of current PGP, or IDEA, insecurities—if they exist—are not publicly known. As current versions of PGP have added additional encryption algorithms, the degree of their cryptographic vulnerability varies with the algorithm used. In practice, each of the algorithms in current use is not publicly known to have cryptanalytic weaknesses.

New versions of PGP are released periodically and vulnerabilities that developers are aware of are progressively fixed. Any agency wanting to read PGP messages would probably use easier means than standard cryptanalysis, e.g. rubber-hose cryptanalysis or black-bag cryptanalysis i.e. installing some form of trojan horse or keystroke logging software/hardware on the target computer to capture encrypted keyrings and their passwords. The FBI has already used this attack against PGP[3][4] in its investigations. However, any such vulnerabilities apply not just to PGP, but to all encryption software.

In 2003, an incident involving seized PsionPDAs belonging to members of the Red Brigade indicated that neither the Italian police nor the FBI were able to decrypt PGP-encrypted files stored on them.[5]

A more recent incident in December 2006 (see United States v. Boucher) involving US customs agents and a seized laptop PC which allegedly contained child pornography indicates that US Government agencies find it "nearly impossible" to access PGP-encrypted files. Additionally, a judge ruling on the same case in November 2007 has stated that forcing the suspect to reveal his PGP passphrase would violate his Fifth Amendment rights i.e. a suspect's constitutional right not to incriminate himself.[6][7] The Fifth Amendment issue has been opened again as the case was appealed and the federal judge again ordered the defendant to provide the key.[8]

Evidence suggests that as of 2007, British police investigators are unable to break PGP,[9] so instead have resorted to using RIPA legislation to demand the passwords/keys. In November 2009 a British citizen was convicted under RIPA legislation and jailed for 9 months for refusing to provide police investigators with encryption keys to PGP-encrypted files.[10]

Phil Zimmermann created the first version of PGP encryption in 1991. The name, "Pretty Good Privacy", is humorously ironic and was inspired by the name of a grocery store, "Ralph's Pretty Good Grocery", featured in radio host Garrison Keillor's fictional town, Lake Wobegon. This first version included a symmetric-key algorithm that Zimmermann had designed himself, named BassOmatic after a Saturday Night Live sketch. Zimmermann had been a long-time anti-nuclear activist, and created PGP encryption so that similarly inclined people might securely use BBSs and securely store messages and files. No license was required for its non-commercial use. There was not even a nominal charge, and the complete source code was included with all copies.

In a posting of June 5, 2001, entitled "PGP Marks 10th Anniversary",[11] Zimmermann describes the circumstances surrounding his release of PGP:

"It was on this day in 1991 that I sent the first release of PGP to a couple of my friends for uploading to the Internet. First, I sent it to Allan Hoeltje, who posted it to Peacenet, an ISP that specialized in grassroots political organizations, mainly in the peace movement. Peacenet was accessible to political activists all over the world. Then, I uploaded it to Kelly Goen, who proceeded to upload it to a Usenet newsgroup that specialized in distributing source code. At my request, he marked the Usenet posting as "US only". Kelly also uploaded it to many BBS systems around the country. I don't recall if the postings to the Internet began on June 5th or 6th.

It may be surprising to some that back in 1991, I did not yet know enough about Usenet newsgroups to realize that a "US only" tag was merely an advisory tag that had little real effect on how Usenet propagated newsgroup postings. I thought it actually controlled how Usenet routed the posting. But back then, I had no clue how to post anything on a newsgroup, and didn't even have a clear idea what a newsgroup was."

PGP found its way onto the Internet, and it very rapidly acquired a considerable following around the world. Users and supporters included dissidents in totalitarian countries (some affecting letters to Zimmermann have been published, and some have been included in testimony before the US Congress), civil libertarians in other parts of the world (see Zimmermann's published testimony in various hearings), and the 'free communications' activists who call themselves cypherpunks (who provided both publicity and distribution).

Shortly after its release, PGP encryption found its way outside the United States, and in February 1993 Zimmermann became the formal target of a criminal investigation by the US Government for "munitions export without a license". Cryptosystems using keys larger than 40 bits were then considered munitions within the definition of the US export regulations; PGP has never used keys smaller than 128 bits so it qualified at that time. Penalties for violation, if found guilty, were substantial. After several years, the investigation of Zimmermann was closed without filing criminal charges against him or anyone else.

Zimmermann challenged these regulations in a curious way. He published the entire source code of PGP in a hardback book,[12] via MIT Press, which was distributed and sold widely. Anybody wishing to build their own copy of PGP could buy the $60 book, cut off the covers, separate the pages, and scan them using an OCR program, creating a set of source code text files. One could then build the application using the freely available GNU Compiler Collection. PGP would thus be available anywhere in the world. The claimed principle was simple: export of munitions—guns, bombs, planes, and software—was (and remains) restricted; but the export of books is protected by the First Amendment. The question was never tested in court with respect to PGP. In cases addressing other encryption software, however, two federal appeals courts have established the rule that cryptographic software source code is speech protected by the First Amendment (the Ninth Circuit Court of Appeals in the Bernstein case and the Sixth Circuit Court of Appeals in the Junger case).

US export regulations regarding cryptography remain in force, but were liberalized substantially throughout the late 1990s. Since 2000, compliance with the regulations is also much easier. PGP encryption no longer meets the definition of a non-exportable weapon, and can be exported internationally except to 7 specific countries and a list of named groups and individuals[citation needed] (with whom substantially all US trade is prohibited under various US export controls).

During this turmoil, Zimmermann's team worked on a new version of PGP encryption called PGP 3. This new version was to have considerable security improvements, including a new certificate structure which fixed small security flaws in the PGP 2.x certificates as well as permitting a certificate to include separate keys for signing and encryption. Furthermore, the experience with patent and export problems led them to eschew patents entirely. PGP 3 introduced use of the CAST-128 (a.k.a. CAST5) symmetric key algorithm, and the DSA and ElGamal asymmetric key algorithms, all of which were unencumbered by patents.

After the Federal criminal investigation ended in 1996, Zimmermann and his team started a company to produce new versions of PGP encryption. They merged with Viacrypt (to whom Zimmermann had sold commercial rights and who had licensed RSA directly from RSADSI) which then changed its name to PGP Incorporated. The newly combined Viacrypt/PGP team started work on new versions of PGP encryption based on the PGP 3 system. Unlike PGP 2, which was an exclusively command line program, PGP 3 was designed from the start as a software library allowing users to work from a command line or inside a GUI environment. The original agreement between Viacrypt and the Zimmermann team had been that Viacrypt would have even-numbered versions and Zimmermann odd-numbered versions. Viacrypt, thus, created a new version (based on PGP 2) that they called PGP 4. To remove confusion about how it could be that PGP 3 was the successor to PGP 4, PGP 3 was renamed and released as PGP 5 in May 1997.

Inside PGP Inc., there was still concern about patent issues. RSADSI was challenging the continuation of the Viacrypt RSA license to the newly merged firm. The company adopted an informal internal standard called "Unencumbered PGP": "use no algorithm with licensing difficulties". Because of PGP encryption's importance worldwide (it is thought to be the most widely chosen quality cryptographic system), many wanted to write their own software that would interoperate with PGP 5. Zimmermann became convinced that an open standard for PGP encryption was critical for them and for the cryptographic community as a whole. In July 1997, PGP Inc. proposed to the IETF that there be a standard called OpenPGP. They gave the IETF permission to use the name OpenPGP to describe this new standard as well as any program that supported the standard. The IETF accepted the proposal and started the OpenPGP Working Group.

OpenPGP is on the Internet Standards Track and is under active development. The current specification is RFC 4880 (November 2007), the successor to RFC 2440. Many e-mail clients provide OpenPGP-compliant email security as described in RFC 3156.

The Free Software Foundation has developed its own OpenPGP-compliant program called GNU Privacy Guard (abbreviated GnuPG or GPG). GnuPG is freely available together with all source code under the GNU General Public License (GPL) and is maintained separately from several Graphical User Interfaces (GUIs) that interact with the GnuPG library for encryption, decryption and signing functions (see KGPG, Seahorse, MacGPG). Several other vendors have also developed OpenPGP-compliant software.

In December 1997, PGP Inc. was acquired by Network Associates, Inc. ("NAI"). Zimmermann and the PGP team became NAI employees. NAI was the first company to have a legal export strategy by publishing source code. Under NAI, the PGP team added disk encryption, desktop firewalls, intrusion detection, and IPsecVPNs to the PGP family. After the export regulation liberalizations of 2000 which no longer required publishing of source, NAI stopped releasing source code.

In early 2001, Zimmermann left NAI. He served as Chief Cryptographer for Hush Communications, who provide an OpenPGP-based e-mail service, Hushmail. He has also worked with Veridis and other companies. In October, 2001, NAI announced that its PGP assets were for sale and that it was suspending further development of PGP encryption. The only remaining asset kept was the PGP E-Business Server (the original PGP Commandline version). In February 2002, NAI cancelled all support for PGP products, with the exception of the re-named commandline product. NAI (now McAfee) continues to sell and support the product under the name McAfee E-Business Server.

In August 2002, several ex-PGP team members formed a new company, PGP Corporation, and bought the PGP assets (except for the command line version) from NAI. The new company was funded by Rob Theis of Doll Capital Management (DCM) and Terry Garnett of Venrock Associates. PGP Corporation supports existing PGP users and honors NAI's support contracts. Zimmermann now serves as a special advisor and consultant to PGP Corporation, as well as continuing to run his own consulting company. In 2003, PGP Corporation created a new server-based product called PGP Universal. In mid-2004, PGP Corporation shipped its own command line version called PGP Command Line, which integrates with the other PGP Encryption Platform applications. In 2005, PGP Corporation made its first acquisition—the German software company Glueck and Kanja Technology AG, which is now PGP Deutschland AG. In 2010, PGP Corporation acquired Hamburg-based certificate authority TC TrustCenter and its parent company, ChosenSecurity, to form its PGP TrustCenter division.[13]

On April 29, 2010 Symantec Corp. announced that it would acquire PGP for $300 million with the intent of integrating it into its Enterprise Security Group.[14] This acquisition was finalized and announced to the public on June 7, 2010.

While originally used primarily for encrypting the contents of e-mail messages and attachments from a desktop client, PGP products have been diversified since 2002 into a set of encryption applications which can be managed by an optional central policy server. PGP encryption applications include e-mail and attachments, digital signatures, laptop full disk encryption, file and folder security, protection for IM sessions, batch file transfer encryption, and protection for files and folders stored on network servers and, more recently, encrypted and/or signed HTTP request/responses by means of a client side (Enigform) and a server side (mod openpgp) module. There is also a Wordpress plugin available, called wp-enigform-authentication, that takes advantage of the session management features of Enigform with mod_openpgp.

The PGP Desktop 9.x family includes PGP Desktop Email, PGP Whole Disk Encryption, and PGP NetShare. Additionally, a number of Desktop bundles are also available. Depending on application, the products feature desktop e-mail, digital signatures, IM security, whole disk encryption, file and folder security, self decrypting archives, and secure shredding of deleted files. Capabilities are licensed in different ways depending on features required.

The PGP Universal Server 2.x management console handles centralized deployment, security policy, policy enforcement, key management, and reporting. It is used for automated e-mail encryption in the gateway and manages PGP Desktop 9.x clients. In addition to its local keyserver, PGP Universal Server works with the PGP public keyserver—called the PGP Global Directory—to find recipient keys. It has the capability of delivering e-mail securely when no recipient key is found via a secure HTTPS browser session.

With PGP Desktop 9.x managed by PGP Universal Server 2.x, first released in 2005, all PGP encryption applications are based on a new proxy-based architecture. These newer versions of PGP software eliminate the use of e-mail plug-ins and insulate the user from changes to other desktop applications. All desktop and server operations are now based on security policies and operate in an automated fashion. The PGP Universal server automates the creation, management, and expiration of keys, sharing these keys among all PGP encryption applications.

The current shipping versions are PGP Desktop 10.1 (Windows and Mac-OS Platforms) and PGP Universal 2.12 . Version 3.x of Universal Server is announced for being released in March 2010.

Also available are PGP Command Line, which enables command line-based encryption and signing of information for storage, transfer, and backup, as well as the PGP Support Package for BlackBerry which enables RIM BlackBerry devices to enjoy sender-to-recipient messaging encryption.

New versions of PGP applications use both OpenPGP and the S/MIME, allowing communications with any user of a NIST specified standard.